NFT holders have become prime targets for scams of every kind. And when the token in question is backed by a well-known project, phishing takes over, with the aim of stripping victims of their hard-won digital images. The Bored Ape Yacht Club community has been hit time and again in recent months, with losses running into millions of dollars. But BAYC holders are not the only ones being hit. And as the security firm CertiK points out, there are a few rules of crypto hygiene worth following.
The figures are as disturbing as they are overwhelming. More than 90% of NFT holders report having been the victim of a scam, sometimes with huge losses depending on the collection involved. And over the past few months, intense phishing campaigns have been aimed at Bored Ape Yacht Club holders. The latest came a few days ago, after a community manager's Discord account was compromised, for an estimated loss of 142 ETH (over $255,000 at the time).
Of course, there is little (if any) recourse after the fact. And every collection is targeted, even if the most popular ones are the favourites. The attacks are well crafted, but often identifiable by anyone who does not rush in. CertiK's security team highlighted some of those tell-tale signs in a recent post on the subject.
NFT – Digital hygiene vs phishing
It all comes down to what is called digital hygiene. And it is always easier to preach than to practise, especially when the link in front of you says that only a hundred copies are up for grabs, first come first served, and that, as luck would have it, you have been selected to take part. The victim ends up handing their NFTs over to the attacker, and paying the network fees for the very transaction that sends them. A classic phishing scheme, but one that continues to wreak havoc, which is why it is worth going over once again.
And even though this type of attack is not limited to the NFT sector, the latter seems to have become a particularly rewarding playing field. That is probably partly because many NFT buyers are newer to crypto than the (slightly) more hardened crypto-native crowd. Or because non-fungibility makes this kind of operation simpler and more profitable: one signature, one unique asset gone. Whatever the case, holders should be wary of links sent to them directly or planted on social networks to wait for the next victim. Because traps are everywhere…
NFT – How to identify a phishing site?
This is why CertiK has just published a report on the attacks on the BAYC community, highlighting what to look for in order to recognise the carbon copy of the project's official website that was set up to deceive victims. Among other things, the clone lacked the usual links to the project's social media accounts. The differences are described as "minor", but once spotted they should set off every alarm, and prompt you to leave the page!
"The phishing link posted on BAYC's Discord redirected to a carbon copy of the project's official website, but with slight differences. First, there were no links to any social media accounts. There was also an added tab titled Claim Free Land which specifically caters to the owners of popular NFT projects."
The same goes for being taken in by a tweet that looks official but whose "@" handle is not the project's, even when it sports the coveted verification badge (one wonders how Twitter hands them out), and even when your own handle appears in an implausible list of "winners" pasted into the replies. Hence a simple rule of thumb: anything that comes to you unsolicited is suspect and must be checked, by going to the project's official account, which is supposedly running the "giveaway". And on the principle that the slightest doubt disqualifies the offer, even at the risk of missing an "opportunity" that is, in any case, too good to be true. Because it almost always is.
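As an added illustration of the checks described above (this is example code written for this page, not part of CertiK's report or of the original article), the following Python script compares the links of a suspect page against those of the official site and flags the three signs mentioned: social media links that the official site has but the clone lacks, extra tabs with lure wording such as "Claim Free Land", and a tweet handle that does not match the official account. The HTML snippets and the ExampleProject name are constructed for the example and do not come from any real site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not captured from any real site): a stand-in for
# the official project site and a phishing clone that drops the social links
# and adds a lure tab.
OFFICIAL_HTML = """
<nav><a href="/">Home</a><a href="/gallery">Gallery</a><a href="/roadmap">Roadmap</a></nav>
<footer>
  <a href="https://twitter.com/ExampleProject">Twitter</a>
  <a href="https://discord.gg/example">Discord</a>
  <a href="https://opensea.io/collection/example">OpenSea</a>
</footer>
"""

CLONE_HTML = """
<nav><a href="/">Home</a><a href="/gallery">Gallery</a><a href="/roadmap">Roadmap</a>
<a href="/claim">Claim Free Land</a></nav>
<footer></footer>
"""

# Hosts whose absence on a "carbon copy" is suspicious, and words typical of lures.
SOCIAL_HOSTS = {"twitter.com", "x.com", "discord.gg", "discord.com", "opensea.io"}
LURE_WORDS = ("claim", "free", "airdrop", "mint now", "limited", "winner")


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from a page using the stdlib parser."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def social_hosts(links):
    # Relative hrefs have no hostname and are ignored here.
    return {urlparse(h).hostname for h, _ in links if urlparse(h).hostname in SOCIAL_HOSTS}


def compare_pages(official_html, suspect_html):
    """Return human-readable findings; an empty list means no differences spotted."""
    official = extract_links(official_html)
    suspect = extract_links(suspect_html)
    findings = []
    for host in sorted(social_hosts(official) - social_hosts(suspect)):
        findings.append(f"missing social link present on official site: {host}")
    official_texts = {text.lower() for _, text in official}
    for href, text in suspect:
        if text.lower() not in official_texts:
            lure = any(word in text.lower() for word in LURE_WORDS)
            findings.append(f"extra link '{text}' -> {href}" + (" [lure wording]" if lure else ""))
    return findings


def handle_matches(official_profile_url, claimed_handle):
    """Compare a handle seen in a tweet with the one linked from the official site.
    Handles are case-insensitive, so lookalikes such as a capital I for l still fail."""
    official = urlparse(official_profile_url).path.strip("/").lower()
    return official == claimed_handle.lstrip("@").lower()


if __name__ == "__main__":
    for finding in compare_pages(OFFICIAL_HTML, CLONE_HTML):
        print("!", finding)
    print(handle_matches("https://twitter.com/ExampleProject", "@ExampIeProject"))
```

Run against the two constructed pages, the script reports the three missing social links and the extra "Claim Free Land" tab marked as lure wording, and rejects the lookalike handle. It is only a heuristic: a careful attacker can copy the social links too, so the final check is still to reach the project through the account or site you already know rather than through the link you were sent.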